In an April 15, 2014 Risk Alert, the U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) announced that it would conduct examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.

The OCIE Alert includes a sample request for information and documents that will be used in the initiative. This sample request for information and documents provides not only a roadmap for firms to prepare to respond to an exam, but also a guide for firms to consider in evaluating their policies and procedures.

The SEC and Cybersecurity Jurisdiction

At first blush, one may wonder how the SEC has jurisdiction over cybersecurity issues. Most people view cybersecurity as a technology and IT issue, as opposed to a securities law issue. Cybersecurity, however, is relevant to the securities laws in a number of respects:

First, Rule 30 of Regulation S-P requires broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that address the protection of customer information and records.[1] Specifically, the policies and procedures must be reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security and integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. The SEC has brought enforcement actions for alleged violations of Rule 30 of Regulation S-P.[2]

Second, Regulation S-ID requires financial institutions that maintain certain types of accounts for clients to establish and maintain programs that detect, prevent, and mitigate identity theft.[3] The rule requires financial institutions to implement written identity theft programs that (1) identify and incorporate relevant red flags; (2) detect red flags; (3) respond to any red flags that are detected; and (4) periodically update the program to reflect changes in risks.

Third, although the OCIE Alert does not apply to public companies that are not broker-dealers, investment companies or investment advisers, the SEC has provided guidance to public companies regarding the disclosure of cybersecurity risks.[4] The SEC's guidance to public companies notes that "[a]lthough no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents." The SEC guidance goes on to enumerate several areas where cybersecurity risks and incidents may be required to be disclosed.

OCIE Jurisdiction and Alert

OCIE administers the SEC's nationwide examination and inspection program of registered broker-dealers, investment advisers, investment companies, the national securities exchanges, clearing agencies, and SROs such as the Financial Industry Regulatory Authority (FINRA), the Municipal Securities Rulemaking Board (MSRB) and the Public Company Accounting Oversight Board (PCAOB). OCIE stated that "[t]hese examinations will help identify areas the Commission and the industry can work to protect investors and our capital markets from cybersecurity threats." OCIE's Risk Alert comes on the heels of the SEC's recent Cybersecurity Roundtable, a gathering of industry and regulators to discuss the issues and challenges cybersecurity raises for market participants and public companies, and how they are addressing those concerns.

In its Risk Alert, OCIE provided a sample request for information and documents that it may ask firms for in its cybersecurity initiative. Some of the questions track information outlined in the National Institute of Standards and Technology's (NIST) "Framework for Improving Critical Infrastructure Cybersecurity." OCIE's sample requests focus on five specific topic areas:

1) Identification of risks/cybersecurity governance;

2) Protection of firm networks and information;

3) Risks associated with remote access and funds transfer requests;

4) Risks associated with vendors and other third parties; and

5) Detection of unauthorized activity.

The sample request also asks how firms identify relevant best practices and whether firms have experienced certain events since January 2009. These events include the detection of malware; a denial of service attack; impairment of the availability of critical firm web or network resources; a breach of the firm's network by an unauthorized user; the compromise of a customer or vendor's computer used to remotely access the firm's network; the receipt of fraudulent emails purportedly from customers seeking to direct transfers of customer funds or securities; an extortion attempt by an individual or group threatening to impair access to or damage the firm's data, devices, network, or web services; and the misappropriation of funds, securities, or sensitive customer or firm information, or damage to the firm's network or data, by an employee or authorized user of the firm's network. OCIE requests that firms provide detailed information regarding the above events, including how some of those events were caused and remedied.

Looking Ahead

Given OCIE's Risk Alert and the SEC's focus on cybersecurity, all broker-dealers, investment companies, and investment advisers, as well as financial institutions, should reassess and reevaluate their cybersecurity policies and procedures. In doing so, they should compare their policies to OCIE's sample request for information to ensure that there are no areas or issues that their policies and procedures fail to cover.

Looking ahead, one can expect that the SEC will focus particular attention on cybersecurity policies and procedures, and on cybersecurity incidents and the responses to them, in its exams of financial professionals. Further, one can expect more enforcement matters for any alleged failures in those policies or procedures or in responding to cybersecurity incidents.

[2] See, e.g., Exchange Act Release No. 395, 2010 WL 2000509 (May 19, 2010) (finding firm violated Rule 30(a) of Regulation S-P by failing to have written policies and procedures that addressed administrative, technical, and physical safeguards for the protection of customer records and information and that were reasonably designed to provide the security and protection of those records).

George Kostolampros represents a wide array of clients, including public companies and their officers, directors, and employees, and financial industry professionals, in investigations and litigation by the U.S. Securities and Exchange Commission, the Department of Justice, the Financial Industry Regulatory Authority, and other federal and state law enforcement and regulatory agencies.

Mr. Kostolampros also advises clients with respect to corporate governance, internal controls and compliance programs. His compliance-related work has involved counseling clients on various aspects of the securities laws and drafting policies and procedures, including codes of conduct, insider trading, anti-corruption and FCPA, and other policies. Mr. Kostolampros has also counseled broker-dealers and investment advisers as to regulatory and compliance-related issues. Mr. Kostolampros also conducts internal investigations for clients.

John Vaughn is a Partner in the Firm's Commercial Litigation Division and is resident in the San Diego office and also part time in the San Francisco office. Mr. Vaughn is the Founder and Chairperson of the Firm's FINRA Dispute Resolution Practice Group.